The main purpose of this block is to give a detailed and clear description of the different controls that must be assessed to ensure that security requirements are met, covering logical, physical, personnel and file (archive) security.

Security procedure

  • Physical security

It refers to the physical controls that you have in place. The most basic ones are fire prevention measures, access controls, etc.

o What are access lists?
Access lists are records that control who is authorized to access certain areas or physical resources. They should be reviewed regularly to ensure that only authorized personnel maintain access, removing those who no longer require permissions.

o What are considered key areas?
Key areas are critical areas within a facility that require special protection, such as server rooms, confidential files, or control centers. This helps prevent unauthorized access and facilitates rapid response to security incidents.

o Who are the security personnel or guards?
Security personnel or guards are professionals responsible for physically monitoring facilities to prevent intrusions, thefts or security incidents.

o What are the physical security measures?
Physical security measures aim to protect information storage devices, such as servers and media drives, from unauthorized access or physical damage. These measures may include secure rooms, restricted access systems, surveillance cameras, and environmental controls such as temperature and fire sensors.

o What is an asset inventory?
An asset inventory is a document that records and details all of an organization's assets, which can be physical or digital, with the aim of assisting in the management of information security. This inventory allows the identification, assessment and management of the risks associated with these assets to adequately protect them.

  • Logical security

It refers to the technological controls that you have in place to protect your equipment (computers, etc.) from access by third parties. The most basic ones are password rules: a password longer than X characters, that must be changed periodically, that must contain special characters, etc.

o What is logical security?
Logical security is a set of measures aimed at protecting computer systems and digital data against various threats (unauthorized access, misuse, modification or destruction). These measures include the use of firewalls, antivirus software, strong passwords and security awareness training. The main threats they combat are malicious software (malware), distributed denial of service (DDoS) attacks and brute-force attacks against passwords.

o What are access privileges?
Access privileges refer to the rights or permissions granted to users or systems to access specific resources within a network or computer system. These privileges determine what a user or process can do within the system, such as view, modify, delete, or run certain files or applications.

o What are security monitoring tools?
Security monitoring tools are systems that detect and record unusual or suspicious activities on networks, servers, and devices. They include intrusion detection systems (IDS), firewalls, audit logs, and traffic analysis tools. These tools help identify potential security threats and vulnerabilities in real time.

o Procedures for responding to security events and possible intrusions
Procedures for responding to security events and intrusions include protocols for detecting, containing, eradicating, and recovering from threats. These include notification to response teams, isolation of affected systems, incident analysis, and restoration of services. Follow-up investigations are also conducted to prevent future incidents.

o Established process for managing and applying security patches
An established process for managing and applying security patches is a set of organized steps and practices that ensure that security updates and fixes provided by software manufacturers to address vulnerabilities, bugs, or security issues in applications, operating systems, or other system components are managed and applied in a systematic, controlled, and efficient manner across an organization.

o What are known vulnerabilities?
Known vulnerabilities are flaws or weaknesses in systems or software that can be exploited by attackers. They are tracked through security reports and updates from manufacturers. Patches, software updates, and hardened security configurations are applied to mitigate them.

o Secure practices during software development
Secure code development involves following a set of practices that minimize risks and vulnerabilities. First, it is essential to validate all input to avoid injection attacks. The code must also handle authentication and authorization correctly, preventing unauthorized access. Encryption of sensitive data is essential to guarantee its confidentiality. In addition, errors must be handled securely so that they do not reveal critical information. Finally, the code must be regularly audited and tested to identify and correct vulnerabilities before they reach production.

o Security testing and vulnerability analysis
Security testing and vulnerability analysis are assessments that identify security flaws in internally developed applications. These tests include vulnerability scans, penetration tests, and code reviews to detect errors. The goal is to correct weaknesses before they can be exploited by attackers.

o Post-incident follow-up
Post-incident monitoring and analysis is key to improving security measures and responding to future incidents. It allows you to identify the root cause of the problem, ensuring that specific actions are taken to prevent it from happening again. It also helps you understand the real impact of incidents, providing valuable lessons for the entire organization. In addition, this process helps reduce the time for detection, diagnosis and mitigation, improving overall effectiveness against potential threats.

  • Personnel security

It refers to controls related to personnel. For example, leaving procedures, training, etc.

o Procedure for reporting loss or theft of devices that may contain confidential information
A lost or stolen device notification procedure is a set of defined steps that must be followed when it is discovered that a device with confidential information has been lost or stolen. The goal is to minimize the risks associated with information loss and ensure a quick and effective response.

o Access permissions
Access permissions are the rights granted to employees to access certain areas, systems, or information within an organization. This helps prevent unauthorized access and maintain information security.

o End-of-employment process
The end-of-employment process for removing access and privileges is a set of steps that are applied when an employee leaves the organization. It includes the immediate revocation of all access permissions to systems, areas, and sensitive information, as well as the return of any equipment and credentials.
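As an added illustration (not part of the original questionnaire or of any idCAT tool), the following Python script reconciles a constructed access list against a personnel roster. It covers both the periodic access-list review described under physical security and the revocation step of the end-of-employment process; every name, resource and date in it is made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    person: str
    resource: str   # key area or system covered by the grant
    granted: date


@dataclass(frozen=True)
class Employee:
    person: str
    active: bool
    leave_date: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    person: str
    resource: str
    action: str     # "revoke" or "recertify"
    reason: str


def review_access(grants, roster, review_date, max_age_days=365):
    """Reconcile an access list against the personnel roster.
    Grants held by anyone without an active employment record go to the
    revoke list (end-of-employment process); grants older than
    max_age_days go to the recertify list (periodic access review)."""
    by_person = {e.person: e for e in roster}
    revoke, recertify = [], []
    for g in grants:
        emp = by_person.get(g.person)
        if emp is None:
            revoke.append(Finding(g.person, g.resource, "revoke", "no employment record"))
        elif not emp.active:
            days = (review_date - emp.leave_date).days if emp.leave_date else None
            why = f"left on {emp.leave_date} ({days} days ago)" if emp.leave_date else "inactive"
            revoke.append(Finding(g.person, g.resource, "revoke", why))
        elif (review_date - g.granted).days > max_age_days:
            why = f"granted {g.granted}, older than {max_age_days} days"
            recertify.append(Finding(g.person, g.resource, "recertify", why))
    return revoke, recertify


# Constructed sample data (hypothetical people, areas and dates).
GRANTS = [Grant("ana", "server room", date(2023, 1, 10)),
          Grant("bea", "archive", date(2024, 3, 5)),
          Grant("carl", "control centre", date(2024, 6, 1)),
          Grant("dani", "server room", date(2024, 9, 15))]
ROSTER = [Employee("ana", True),
          Employee("bea", False, date(2024, 10, 31)),
          Employee("carl", True)]
```

Running `review_access(GRANTS, ROSTER, date(2024, 11, 15))` lists bea (left) and dani (no record) for revocation and ana (grant older than a year) for recertification, which is the evidence an auditor would expect the review to produce.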

o Security responsibilities when leaving the organization
Security responsibilities upon leaving the organization include ensuring that workers understand their obligations even after the end of their employment relationship, helping to protect the organization against potential security risks.

  • File security

It refers to controls related to files and archives. For example, access controls and security processes.

o Are there clear policies on the handling of confidential files?
Confidential file handling policies are guidelines that establish how sensitive information should be managed, stored, shared, and destroyed. The goal is to protect information from unauthorized access and ensure compliance with privacy regulations.

o Recovery tests to ensure that files can be effectively restored
Recovery testing is a simulation or test that is performed to verify that files and systems can be effectively restored after an incident, such as data loss or system failure. These tests involve restoring data from backups and ensuring that they function properly.

o Are there clearly defined authorization levels to limit access according to roles and responsibilities?
Authorization levels are classifications that determine who can access information or resources based on roles and responsibilities within the organization. These levels ensure that only authorized personnel can access sensitive data, minimizing the risk of exposure or inappropriate use.

Consult the ER idCAT audit questionnaire

For any queries you can contact the audit support email.